There were widespread security concerns yesterday after the discovery of an old flaw that could affect web servers and Internet-connected devices – but many in the industry are claiming it presents no immediate threat to bitcoin services.
The vulnerability, dubbed either the 'Bash Bug' or the 'Shellshock Bug', would allow malicious access to a UNIX-based device's operating system via the command line shell – the most widely used of which is bash.
UNIX-based systems include MacOS, Linux versions (desktop and server), popular mobile platforms and embedded systems on other devices that communicate online.
Jeff Garzik, bitcoin core developer and now senior software engineer at BitPay, however, said there is no clear and present danger to bitcoin users.
"Prediction: bash bug NOT bigger threat than heartbleed," he posted on a Reddit thread.
Garzik told CoinDesk that, while the newly-discovered bug had the potential to be bad, "most online services using bitcoin are far more secure than your average home router".
He added that the Bash Bug would impact mostly non-bitcoin sites, and was being over-hyped.
Bitcoin a target?
At this stage, there are no reports of any exploit of the Bash Bug affecting any bitcoin-related services. So why care at all?
Bitcoin services may potentially be a more attractive target for hackers and thieves than more established, fiat-based services like online banking and PayPal.
There are two historic reasons for this: poor security implementation at some early-stage online bitcoin services, and the reluctance of authorities to investigate or punish digital currency crimes, unless they suspect drugs or money laundering are involved.
Therefore it is best to at least be aware of potential problems developers and services may face.
One exchange's view
Yan Chuan or 'YC', CTO of exchange BitBays.com, said the bug was "relatively easy for hackers to use", and recommended all users patch, back up logs, and check systems to see if any attack had occurred.
Because the bug allowed malicious hackers full access to an operating system, there was potential for any kind of attack, from stealing bitcoin wallets to installing keyloggers and backdoors.
YC said bitcoin itself would not be affected due to its decentralized structure.
Since Windows is not UNIX-based, its desktop users would not themselves be affected. BitBays' platform is prepared, YC continued, but concerned users of other platforms might like to ask their exchange or wallet service about the situation if unsure.
The Bash Bug vulnerability stems from a serious security flaw that exists in the bash (Bourne Again SHell) command 'env'. It affects the local shell, as well as SSH, FTP, HTTP, and other important services.
YC explained how the bug could be exploited, saying that many web servers send the user's HTTP request information (REMOTE_HOST, REQUEST_METHOD, QUERY_STRING, etc.), stored in environment variables, to the backend web framework or CGI scripts.
If this information includes malicious instructions, the next time the server executes bash it will execute the malicious instructions. Thus, the server is compromised.
At present, the popular Apache + PHP and Nginx + wsgi frameworks are vulnerable.
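The path YC describes (request headers copied into environment variables and handed to a CGI script) also gives a defender something concrete to look for when reviewing logs, as he recommends. The Python below is an added example, not part of the original article or the exchange's own tooling: it scans Apache/Nginx combined-format access-log lines for the bash function-definition marker that Shellshock probes carried in headers or query strings. The log format and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption: the server writes the Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock probe puts a bash function definition, starting with "() {",
# into a value the CGI server will copy into an environment variable.
# Match whitespace variants and the URL-encoded form seen in request lines.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{|%28%29(?:%20|\s)*%7B', re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    time: str
    field: str   # which part of the request carried the marker
    value: str


def scan_log_lines(lines):
    """Return one Hit per request whose request line, Referer or User-Agent
    carries the '() {' marker. CGI servers export these as QUERY_STRING,
    HTTP_REFERER and HTTP_USER_AGENT before invoking a script, which is the
    route described in the article."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production tool would count these
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append(Hit(m.group("ip"), m.group("time"), field, value))
                break  # one hit per request is enough for triage
    return hits


# Constructed sample lines (not real traffic): one benign, two probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.8 - - [25/Sep/2014:10:13:40 +0000] "GET /cgi-bin/status?x=%28%29%20%7B HTTP/1.1" 404 0 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for h in scan_log_lines(SAMPLE_LOG):
        print(f"{h.time} {h.ip} suspicious {h.field}: {h.value!r}")
```

A hit is a reason to check whether the requested path was actually handled by a CGI script on an unpatched bash, not proof of compromise on its own.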
No quick fix
According to Red Hat, which issued its own security advisory, many programs access the bash shell in the background. Several Linux distributions have already made patches available, including Red Hat Enterprise Linux, Debian, Ubuntu and CentOS.
The bug, which had existed for more than 25 years before today's disclosure, could affect millions of devices and leave many older ones in need of patching. It is the sheer number of devices in need of patching, rather than the flaw's complexity or known exploits, that has some experts concerned.